Clearwater Identifies Cybersecurity Risks in Healthcare Industry

The Clearwater CyberIntelligence Institute (CCI) has announce that it has identified the three most critical cybersecurity risks facing the organisations in the healthcare industry.

CCI, part of Clearwater Compliance, a leading healthcare cyber risk management and regulatory compliance organisation, performed the analysis on data obtained from IRM analyses that have been conducted over the past six years. It is the industry’s largest database that focuses on the cybersecurity risk profiles of hospitals, Integrated Delivery Networks (IDNs) and business associates, containing millions of records. An analysis with this scope has never before been performed, and the report offers some unique insights about the most common vulnerabilities in the healthcare system.

Deficiencies in user authentication, endpoint leakage vulnerabilities, and excessive user permissions were identified as the areas most vulnerable to patient data breach. The report revealed that almost 37% of high and critical risks were in these three areas.

“Hospital executives should direct their immediate attention to these three top vulnerabilities and consider action to reduce their organization’s risk profile,” said Clearwater’s Jon Stone, who leads CCI and serves as senior vice president for Product Innovation. “It is critically important that hospitals and health systems evaluate their organization’s information systems to determine their specific risk ratings on these three critical vulnerabilities and take the necessary steps to close any gaps.”

The most common security weaknesses in healthcare were user authentication deficiencies. This includes failures in organisations to implement robust protocols to correctly identify users that are in their network, and failures to verify the level of access that users should have to an organization’s resources. The cause of such lapses in security include the use of default passwords and generic user IDs, writing down passwords and hiding them in obvious places, and the transmission of user credentials via email in plain text.

User authentication deficiencies were most commonly associated with servers and Software-as-a-Server (SaaS) solutions. Clearwater also notes that more than 90% of healthcare organizations said they had password/token management policies and procedures, but further investigation revealed that the organisations often failed in the correct technical implementation of these procedures.

In their report, Clearwater investigators offered some recommendations to organisations on how to foster a better security cultures in their workplace. This includes enforcing the use of strong passwords, enabling single sign-on, and implementing rate limiting to lock accounts after a set number of failed login attempts. Of the organizations that had user authentication deficiencies, 84.4% had deficiencies in password requirements, 52.2% failed to implement single sign-on, and 40.4% had not implemented rate limiting.

Limiting the use of admin accounts and restricting the systems and data that end users can access was often not adopted by healthcare organizations, despite being considered some of the “best practices” by cybersecurity experts.

The failure to restrict access to drives and networks not required by users to perform their work duties increases the risk of a major data breach occurring. The potential damage caused by a breach can be mitigated by restricting user permissions if credentials are compromised. Healthcare organizations should adopt the principle of least privilege and should only give users access to data and networks that they require to perform their work duties.